DNS problem: looking up CAA for www.wdsd.org: DNSSEC: Bogus

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wdsd.org

I ran this command: certbot -v renew --cert-name wdsd.org

It produced this output:
certbot -v renew --cert-name wdsd.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/wdsd.org.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for wdsd.org and www.wdsd.org
Performing the following challenges:
http-01 challenge for www.wdsd.org
Waiting for verification...
Challenge failed for domain www.wdsd.org
http-01 challenge for www.wdsd.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.wdsd.org
Type: dns
Detail: DNS problem: looking up CAA for www.wdsd.org: DNSSEC: Bogus

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate wdsd.org with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/wdsd.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

That says it all. The Let's Encrypt servers are looking for the CAA record in your DNS and getting a faulty response from your DNS system.

It can be reproduced using this tool
https://unboundtest.com/m/CAA/www.wdsd.org/YOK2P7LD

I am not skilled enough with DNS to suggest exactly how to correct this. I could only suggest talking with your DNS provider.

There are other more experienced DNS volunteers here and I already see one starting to type so ...

2 Likes

Your DNS server, while giving a valid answer for the A record, doesn't correctly return that there isn't a result for other record types, like AAAA or CAA. You need to fix your DNS so that your domain name works before you can get a certificate (and before users can reliably get to your domain name).

Just how to fix it depends a lot on the DNS software in use, but pretty much anything even halfway-recent should be handling it automatically. But it looks like you might be using Network Solutions for your DNS, which has had a lot of complaints by people around here since it seems like they don't actually know how to run a DNS server.

Here's a somewhat-recent thread about it:

5 Likes
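The two replies above describe the same failure from different angles: the unboundtest reproduction shows a validating resolver returning Bogus, and the second reply explains why (the authoritative server answers the A query but does not properly deny the existence of other types such as AAAA or CAA). The following added example, which is not code from the thread or from any of the tools mentioned, shows what "properly deny" means on the wire. It builds a few constructed DNS responses with the standard library and classifies each the way a validating resolver would judge it for a name in a DNSSEC-signed zone (a Bogus result implies validation was expected). A NOERROR response with an empty answer section is only a valid NODATA answer when its authority section carries signed NSEC or NSEC3 records proving the type is absent; an empty NOERROR without that proof, or an NXDOMAIN for a name that demonstrably exists, is what a validator rejects. Record rdata in the samples is placeholder bytes, since only section membership and rcode are inspected.

```python
"""Classify DNS responses the way a validating resolver would judge them."""
import struct

# RR type codes used in this example (IANA-assigned values)
A, AAAA, RRSIG, NSEC, NSEC3, CAA = 1, 28, 46, 47, 50, 257
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, rcode, answers=(), authority=()):
    """Build a minimal response (constructed test data, not a real capture).

    answers/authority are sequences of (name, rtype, rdata) tuples; rdata is
    opaque here because the classifier never decodes it.
    """
    flags = 0x8400 | rcode            # QR=1, AA=1, rcode in the low 4 bits
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


def read_name(wire, pos):
    """Decode a (possibly compressed) name; return (name, position after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = wire[pos]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", wire[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if jumped else pos)


def parse_response(wire):
    """Parse the header, the question and the answer/authority sections."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    pos = 12
    qname, pos = read_name(wire, pos)
    qtype, _qclass = struct.unpack("!HH", wire[pos:pos + 4])
    pos += 4
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            name, pos = read_name(wire, pos)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
            pos += 10 + rdlen                        # skip rdata, keep owner/type
            rrs.append((name, rtype))
        sections.append(rrs)
    return {"rcode": flags & 0xF, "qname": qname, "qtype": qtype,
            "answer": sections[0], "authority": sections[1]}


def classify(wire, name_exists=True):
    """Judge a response for a name in a DNSSEC-signed zone.

    name_exists: whether the owner name is known to hold other records
    (www.wdsd.org does, since its A lookup succeeds), which makes an
    NXDOMAIN for another type at that name a server bug.
    """
    msg = parse_response(wire)
    rcode = msg["rcode"]
    if rcode == 3:
        return "NXDOMAIN (wrong: name exists)" if name_exists else "NXDOMAIN"
    if rcode != 0:
        return RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    if any(t == msg["qtype"] for _, t in msg["answer"]):
        return "ANSWER"
    auth_types = {t for _, t in msg["authority"]}
    if (NSEC in auth_types or NSEC3 in auth_types) and RRSIG in auth_types:
        return "NODATA (signed denial present)"
    return "NODATA (no signed denial: validator returns Bogus)"


if __name__ == "__main__":
    # Constructed samples: the A answer works, the CAA answers show the
    # correct denial beside the two broken shapes described in the thread.
    name = "www.wdsd.org"
    samples = {
        "A with answer": build_response(name, A, 0, answers=[(name, A, bytes([192, 0, 2, 10]))]),
        "CAA proven NODATA": build_response(name, CAA, 0, authority=[
            (name, NSEC, b"\x00" * 4), (name, RRSIG, b"\x00" * 8)]),
        "CAA empty NOERROR": build_response(name, CAA, 0),
        "CAA NXDOMAIN": build_response(name, CAA, 3),
    }
    for label, wire in samples.items():
        print(f"{label:20s} -> {classify(wire)}")
```

The classifier only checks that signed denial records are present in the authority section; a real validator also verifies the RRSIG signatures and that the NSEC/NSEC3 type bitmap actually excludes the queried type. The point for a server operator is the same: every type queried at an existing name, not just the ones with data, must get either an answer or a signed NODATA proof, and CAA is queried for every certificate issuance.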

More [of the same] info:
Let's Debug (letsdebug.net)

2 Likes
